• .

    From August Abolins@2:221/1.58 to All on Thursday, April 27, 2023 08:42:00

    cc: INTERNET, MOBILE, SECURITY, SN_INTEL

    https://www.kuketz-blog.de/mailbox-org-entdeckt-
    unverschluesselte-passwortuebertragung-in-mymail/

    Severe safety issue in mymail app found.


    Google Translate yields --

    mailbox.org discovers unencrypted password transmission in myMail

    The mailbox.org team recently discovered a critical
    vulnerability in the myMail client for iOS, which leads to
    unencrypted transmission of user passwords and emails.

    mailbox.org became aware of the problem after customers pointed
    out transmission errors in the user forum that occurred when
    sending emails via the myMail client. After examining the logs,
    the team found that the myMail app was attempting to transmit
    passwords without the otherwise required TLS encryption . After
    the connection was established, the app did not send the usual STARTTLS-Kommando, but instead continued to transmit the user's
    unencrypted login data. This enabled mailbox.org to extract or
    read the passwords from the connection logs.

    According to Peer Heinlein, managing director of mailbox.org,
    their e-mail servers consistently reject such unencrypted
    connections in order to ensure user security. This is the only
    reason why the connection attempts of the myMail app failed, so
    that users and postmasters of mailbox.org were taken aback.

    This problem is not only relevant for mailbox.org customers: It
    also represents a general security risk for all users who use
    the myMail client. Content and passwords can be read and tapped
    by third parties, especially if the users are in an open
    network (e.g. WiFi airport, train, etc.). If other providers
    allow unencrypted connections and are used in connection with
    the current version of the myMail app, attackers can also read
    the content of the unencrypted e-mails.

    Therefore, mailbox.org strongly recommends not using the myMail
    client in connection with their service or other e-mail
    providers until the developers of the app have fixed the
    security problems. There are numerous alternative email clients
    that offer higher security standards and protect privacy
    better. At the same time, the current incident once again
    underlines the importance of communicating exclusively via
    systems that are configured securely and enforce encryption.


    --- OpenXP 5.0.57
    * Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)
  • From August Abolins@2:221/1.58 to All on Wednesday, October 25, 2023 23:05:00
    More:

    https://www.businessinsider.com/google-can-give-police-keyword-data-from-search-histories-2020-10

    Documents from an arson attack linked to the R Kelly investigation show how Google hands 'keyword' search data to police

    Isobel Asher Hamilton

    5-6 minutes

    A court document relating to an alleged associate of singer
    R Kelly show that police investigators sent something
    called a "keyword warrant" to Google. Police were looking
    into an arson attack on a car outside the home of a witness
    in the R Kelly case. Google provided IP addresses of
    everyone who'd searched for the arson victim's address
    within a certain timeframe, which allowed police to
    pinpoint a suspect. The arson victim is a witness involved
    in the ongoing sexual racketeering case against R Kelly.
    The suspect, Michael Williams, is a family relation of R
    Kelly's former publicist. The warrant shows how police are
    increasingly able to issue broad warrants to tech
    companies, rather than focusing on individuals.

    A newly unsealed court document related to an alleged associate
    of singer R Kelly shows how Google can hand over data about
    what people search to the police.

    The court filing was submitted in July but unsealed on
    Wednesday. It details a police investigation into an arson
    attack on a car outside of the home of a witness involved in
    the ongoing sexual racketeering case against R Kelly.

    The court document showed that investigators linked Michael
    Williams - a family relation of R Kelly's former publicist - to
    the arson by sending something called a "keyword warrant" to
    Google. Specifically, police asked Google for any data on
    "users who had searched the address of the residence close in
    time to the arson."

    Google sent a list of IP addresses that had searched for the
    arson victim's address. Two IP addresses were linked to
    Williams' phone number, which police then used to track the
    phone's location. They were then able to determine the device
    was near the victim's car at the time of the arson attack.

    Per CNET, investigators then obtained a warrant for Williams'
    personal search history, which showed he'd searched for the
    terms: "where can i buy a .50 custom machine gun," "witness
    intimidation," and "countries that don't have extradition with
    the United States."

    Although requests for broad data sets to tech giants from
    police are not new, this case lays out exactly how tech
    companies co-operate with officers.

    "We require a warrant and push to narrow the scope of these
    particular demands when overly broad, including by objecting in
    court when appropriate," Richard Salgado, Google's director of
    law enforcement and information security, told CNET.

    "These data demands represent less than 1% of total warrants
    and a small fraction of the overall legal demands for user data
    that we currently receive," he added.

    The original warrant sent to Google has not yet been unsealed,
    but Williams' attorney Todd Spodek said he planned to challenge
    its legality, per CNET. "Think of the ramifications in the
    future if everyone who searched something in the privacy of
    their own home was subject to interviews by federal agents,"
    Spodek said.

    Albert Fox Cahn, the executive director of the Surveillance
    Technology Oversight Project, also told CNET he thought keyword
    warrants could be in violation of the Fourth Amendment.

    "When a court authorizes a data dump of every person who
    searched for a specific term or address, it's likely
    unconstitutional," said Cahn.
    --
    ../|ug

    --- OpenXP 5.0.57
    * Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)